Free Malware Removal Forum


You appear to have no antivirus software running (Spybot is not an antivirus program). Without antivirus software your computer is very vulnerable and can easily be infected at any time so it is essential you have one active at all times.

If you have no antivirus program then download and install one immediately, update the definitions and set it to update automatically. Please ensure you have one antivirus program installed before continuing.

1. I have downloaded/installed Avast antivirus. The installation required a reboot. The system seemed to partially load Windows; the system would hang after the initial Windows splash screen. The image of the desktop appeared, but Windows would not fully load. I let it sit for 3 minutes, and tried multiple times. I finally pressed F8 and booted to the last known good configuration. Windows is functioning OK, and Avast found the two files that seem to be suspect. It was unable to quarantine those two files. Part of Avast is not running; Avast is reporting that there is something wrong with the "RPC Server."

2. I uploaded the igmpagnt32.dll file to the BleepingComputer site.

3. I downloaded and ran the RSIT program, and generated the following log files:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Jayne at 2008-11-11 21:03:55
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 61 GB (85%) free of 73 GB
Total RAM: 446 MB (34% free)

OK, I ran anti-malware, and it found several items, and was able to quarantine/delete most, but required a reboot to delete (2) during boot. I will post two anti-malware logs:

Malwarebytes' Anti-Malware 1.30
Database version: 1391
Windows 5.1.2600 Service Pack 2

Restrictions have been placed on Internet Explorer control panel options, probably for security reasons by Spybot S&D. If however you wish to remove these restrictions then please check this line also:

Return to OTMoveIt3, right-click in the "Paste instructions for items to be moved" window (under the yellow bar) and choose Paste

Then click the red MoveIt! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it into your next response.

If OTMoveIt asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

1. I uninstalled Avast, and re-installed Avast. This installation was completely successful. It wanted a scan during a reboot, and I allowed it to do so. It found the igmpagnt32.dll file and I chose to delete it during its scan.

Please accept my apologies for doing work on my own, but I felt very confident in Avast, and wanted to get it up and running.

2. I ran unDll and when I went to browse for the infected file, it was gone. (Avast successfully deleted it previously.)

3. I ran Hijackthis and selected the (3) lines you suggested, and hit "fix selected." The latest HijackThis log is at the end of this post:

OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11122008_205503

Files moved on Reboot...
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
File C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!
C:\WINDOWS\temp\Perflib_Perfdata_6a8.dat moved successfully.
C:\Documents and Settings\Jayne\Local Settings\Application Data\Mozilla\Firefox\Profiles\y1c863kp.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Jayne\Local Settings\Application Data\Mozilla\Firefox\Profiles\y1c863kp.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Jayne\Local Settings\Application Data\Mozilla\Firefox\Profiles\y1c863kp.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Jayne\Local Settings\Application Data\Mozilla\Firefox\Profiles\y1c863kp.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Jayne\Local Settings\Application Data\Mozilla\Firefox\Profiles\y1c863kp.default\XUL.mfl moved successfully.

I uninstalled Avast, and re-installed Avast. This installation was completely successful. It wanted a scan during a reboot, and I allowed it to do so. It found the igmpagnt32.dll file and I chose to delete it during its scan.

We already had one failed installation due to malware so there was some risk in doing this. Antivirus programs are very intrusive so if they aren't working normally they can cause serious system problems. I had intended to make sure the malware was inactive before resolving the issue, but I am of course very glad that it worked out and it appears that things have gone to plan.

Please open HijackThis, select Open the Misc Tools section
Press the Open Uninstall Manager... button
Scroll down the list and find this entry (if present):

Antivirus Pro 2009

Click it to highlight it, press Delete this entry and say Yes to the prompt
Close HijackThis

Please open Start->Control Panel->Add/Remove Programs, and remove J2SE Runtime Environment 5.0 Update 6. This is out of date and now a security risk, you already have a current version installed (Java(TM) 6 Update 7).

You have Viewpoint Media Player installed on your system. This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Media Player.
Viewpoint Media Player can be removed via Add/Remove Programs.

OK,
1. I removed the antivirus2009 from the uninstallation list.
2. I uninstalled the old Java Runtime, and the "foistware".
3. I downloaded Gmer, and after disconnecting from the internet, ran Gmer, and the log is posted below:
4. I reconnected to internet and ran the ESET tool; its log is at the end of this post.

Thanks again for your assistance. This malware is tricky, and I would not have kept going if I was on my own.

OK, well, the system is running very well. The most visible symptom that made me think malware was running was when using Internet Explorer, almost every Google search would always result in the same internet retailer websites being listed first. No matter if I was searching "cute puppies" or "monster trucks," the same search results would appear.

That symptom is gone. The PC seems to be running very quick too!

I purged the "recovery" items from spybot.

Do you have any resident programs that you would recommend to stop further malware? (Or do you trust avast! to do malware as well as viruses?)

I'm glad to hear things are running better and I have some recommendations for you but there is some tidying up to do first:

Clean up with OTMoveIt3:

Double-click OTMoveIt3.exe to start the program.

Close all other programs apart from OTMoveIt3 as this step will require a reboot

On the OTMoveIt3 main screen, press the CleanUp! button

Say Yes to the prompt and then allow the program to reboot your computer.

Please now delete rsit.exe, UnDLL, Gmer.exe and any remaining logs from your Desktop, also delete this folder:

C:\rsit

Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
Press OK and Yes to confirm

If the above went well I think your machine is clean of malware. Here are some recommendations to help you keep it that way:

Avast is an excellent antivirus program, however I recommend you install antispyware software with real-time capabilities - this means it protects you from system changes and spyware while you are working, not just removing malware after it has been installed. There are a range of paid-for and free packages available, a free one I can recommend is Windows Defender, available here: http://www.microsoft.com/athome/securit ... fault.mspx

I recommend you install a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.
Also: subscribe to the mailing list to get update notifications.

Please take care when downloading programs. One of the easiest ways to be infected is to download freeware/shareware programs which come laden with malware - this includes allowing websites to install browser plug-ins or ActiveX controls. Before downloading, it is crucial to check whether the source is reputable.
One way to check is to use McAfee SiteAdvisor. Copy the domain name into the space provided and SiteAdvisor will give you a report on the website which can help you decide if it is safe. They also have a toolbar for IE and Firefox which adds this functionality to your browser.

Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.
